Get Connected with NAT

Last month I discussed the basic concept of Network Address Translation
(NAT) and how it’s generally used to address the problem of address space,
which has been diminishing with the growing numbers of devices attaching
themselves to the Internet. We built a frame of reference for the discussion
I want to cover this month: how NAT is implemented in Windows 2000 and
the steps necessary to install it on your system.

NAT in Win2K
In Win2K, NAT is a component of the Routing and Remote Access service
and it’s closely tied to the TCP/IP protocol stack. This integration is
manifested through supporting address mappings along with dynamic and
static port mappings as the packets flow in and out of the NAT interface
between the private and public networks.

When an IP device attempts to reach an address that’s external to the private network,
the IP Router Manager directs the packets through NAT. NAT determines
if there’s an existing mapping that can be used for this source address.
If a mapping exists, then NAT translates the address or port information
necessary for the return traffic to find the source device.

The number
of public addresses available for mapping determines whether a port number
or complete address is used. If there are multiple addresses, then one
is used as the mapping partner to the private internal address. If there’s
only one public address available, then one of the port numbers of that
address is used to map to the internal private address, which is called
Port Address Translation (PAT). If your NAT server is using multiple addresses,
it’ll go through the PAT process automatically when it runs out of public
address space, which will be transparent to the user.

Check, Double Check
The next step in this process is for NAT to look for the need for any
registered editors. As I mentioned last month, the editors are used to
modify address information that’s contained in the data portion of the
packet. If necessary, the packets are modified appropriately and a new
checksum is generated so the resulting frame isn’t discarded by standard
IP error checking. The packet is then forwarded to the external interface,
and it proceeds across the Internet as with any other packet. The destination
device won’t be aware that the packet has been modified and will respond
using the NAT interface as the ultimate source address.
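The checksum step described above, as an added illustration (not code from the article or from Windows 2000): a constructed IPv4 header has its source address rewritten the way NAT does on the outbound path, and the RFC 791 header checksum is regenerated so a receiver's check still passes. The TCP/UDP checksum also covers the addresses (via the pseudo-header) and must be regenerated the same way; that part is left out here.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Zero the checksum field (bytes 10-11), recompute it, and write it back."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Constructed 20-byte IPv4 header (no options), as a private host would send it."""
    raw = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return with_checksum(raw)


def header_is_valid(header: bytes) -> bool:
    """Receiver-side check: summing the header including its checksum must give zero."""
    return ipv4_checksum(header) == 0


def nat_rewrite_source(header: bytes, new_src: str, regenerate: bool = True) -> bytes:
    """Outbound NAT step: replace the source address (bytes 12-15) and regenerate the
    checksum. regenerate=False shows why a frame modified without it would be discarded."""
    rewritten = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    return with_checksum(rewritten) if regenerate else rewritten


if __name__ == "__main__":
    # Constructed addresses: private host, Internet destination, NAT public interface.
    original = build_ipv4_header("192.168.0.10", "198.51.100.7")
    print("naive rewrite valid:", header_is_valid(nat_rewrite_source(original, "203.0.113.1", False)))
    print("NAT rewrite valid:  ", header_is_valid(nat_rewrite_source(original, "203.0.113.1")))
```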

When the
response traffic is received by the NAT interface, the process is reversed—except
when it checks for an existing mapping. If one doesn’t exist, the packet
is discarded instead of creating a mapping. This characteristic is commonly
used as a security enforcement point when a NAT network component is considered
part of a security design.
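As an added example, not code from the article or from the Win2K implementation, here is a small Python model of the mapping decisions just described: a device reuses its existing mapping, receives a spare public address when the pool has one, falls back to PAT on the interface address once the pool is exhausted, and inbound packets are translated only when a session already exists and are discarded otherwise. The addresses and the sequential PAT port allocation are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class NatTable:
    """Constructed model of the Win2K NAT outbound/inbound mapping decisions."""
    public_pool: list            # spare public addresses for one-to-one address mapping
    interface_addr: str          # address bound to the public interface, used for PAT
    next_pat_port: int = 1025    # constructed allocation rule: hand out ports sequentially
    addr_map: dict = field(default_factory=dict)  # private addr -> public addr (1:1)
    port_map: dict = field(default_factory=dict)  # (private addr, port) -> public port (PAT)
    sessions: dict = field(default_factory=dict)  # (public addr, port) -> (private addr, port)

    def outbound(self, src: str, sport: int) -> Tuple[str, int]:
        """Translate an outbound packet, creating a mapping only if this source has none."""
        if src in self.addr_map:                        # device already owns a public address
            pub, pport = self.addr_map[src], sport
        elif (src, sport) in self.port_map:             # existing PAT mapping for this socket
            pub, pport = self.interface_addr, self.port_map[(src, sport)]
        elif self.public_pool:                          # spare address: map the whole address
            pub = self.addr_map[src] = self.public_pool.pop(0)
            pport = sport
        else:                                           # pool exhausted: fall back to PAT
            pub, pport = self.interface_addr, self.next_pat_port
            self.port_map[(src, sport)] = pport
            self.next_pat_port += 1
        self.sessions[(pub, pport)] = (src, sport)      # so the reply can be reversed
        return pub, pport

    def inbound(self, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Reverse path: forward only to an existing session; None means 'discard'."""
        return self.sessions.get((dst, dport))


if __name__ == "__main__":
    # One spare public address plus the interface address (constructed values).
    nat = NatTable(public_pool=["203.0.113.10"], interface_addr="203.0.113.1")
    for src, sport in [("192.168.0.10", 40000), ("192.168.0.11", 40001), ("192.168.0.12", 40001)]:
        print(f"{src}:{sport} -> {nat.outbound(src, sport)}")
    print("unsolicited inbound:", nat.inbound("203.0.113.1", 3389))  # None: discarded
```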

As you can
see, the NAT process in Win2K closely follows the generic NAT behavior
I discussed last month. As you can also imagine, unless there’s a solid
understanding of IP addressing, including subnet masking, an organization
can bump into some serious issues that’ll affect the successful connection
of its network to the Internet. In order to ease some of these problems,
Win2K combines some complementary services with its NAT implementation.

At Your Service
There are two robust services that are very useful to any IP network
and have scaled-down versions integrated into the Win2K version of NAT.
One of these services is the DHCP allocator, and the other is a DNS proxy
service. Both were added to the NAT software to help simplify the configuration
needs of smaller networks (such as SOHO environments) where there may
be a lack of on-site expertise.

The DHCP
allocator service is a mini DHCP server that provides the minimum amount
of information for a client to participate on an IP network. Unlike a
full-featured DHCP server, the information dispensed by the NAT DHCP allocator
is limited to the following:

Subnet mask
Default gateway
DNS server
Renewal time
Rebinding time
IP address lease time
DNS domain

These are
the only options available with this mini version of DHCP, and it only
supports one set or scope of addresses. As you can see, the NAT DHCP allocator
doesn’t supply service for a network of any significant size, but it does
address the needs of very small networks. If you have a network that requires
multiple scopes and the other functions in a full DHCP server, you’ll
need to disable the DHCP allocator component of the NAT software and install
a full version of the DHCP server.

NAT uses
the DNS proxy to provide basic name-resolution service by passing the
resolution requests to a regular DNS server that’s configured for the
NAT device’s IP stack. This is usually going to be the DNS server that’s
provided by your ISP. By providing this function, a small organization
doesn’t have to have any more expertise in DNS than it would need to configure
an IP stack per its ISP’s instructions. As with the DHCP allocator, the
NAT DNS proxy isn’t needed if you have a full-featured DNS system.

Nuts and Bolts
When you install Win2K Server, the NAT software components are installed
automatically, but they’re disabled by default. Before you enable the
NAT software, make sure you have the hardware necessary to have an interface
on your internal network and an interface on your external network. For
example, you may need an Ethernet NIC on your internal private network
and an ISDN adapter for the connection to your ISP. After you’ve installed
the appropriate hardware, select the Start | Administrative Tools | Configure
Server menu option to bring up Figure 1.

Figure 1. Once you ensure that you’ve installed
the required hardware, you can begin the process of configuring your
server and obtain further information regarding remote access.

You’re provided
with information regarding Remote Access and an option to learn more about
it, which will open the fairly detailed help files. When you click on
the Open Routing and Remote Access, the screen in Figure 2 is presented.

Select the
Action menu option and you’ll see a Configure and Enable Routing and Remote
Access screen, which brings up an installation wizard. The first important
screen displays several configurations available for the router software.
After you select one of the configurations, such as Internet Connection
Server, you’re allowed to choose a “minified” version of NAT, called Internet
Connection Sharing (ICS), or the fully configurable version of NAT as
shown in Figure 3.

Figure 3. Once you begin the installation wizard,
you can choose either ICS, which is a limited version of NAT, or a
fully configurable version of NAT.

Keeping it Simple
ICS is for very, very small networks and doesn’t allow any configuration
changes, including disabling the DHCP allocator or even the range of private
IP addresses. This is for those organizations that simply want the devices
on their small network to access each other and the Internet. They may not
have anyone available to understand how the IP protocol works — or wouldn’t
gain any benefit from the otherwise resulting complexity. They can just
enable ICS, configure all workstations for DHCP and get to work. However,
if, for example, you have any other domain controllers, DNS or DHCP servers,
or even other statically addressed devices on your network, you need to
select NAT and bypass the rigidity of ICS. Under the covers, they provide
the same functionality. ICS is just a static configuration of NAT.

After you
choose NAT and press Next, the available interfaces are displayed, showing
you the type of connection, the IP addresses of each connection, and the
logical name of the interface (Figure 4). Here you can choose a synchronous
connection or create a dial-up asynchronous connection to your ISP. After
you select either a demand-dial connection or two physical connections
as shown in Figure 4, you’re presented with a final screen and the service
is enabled.

Figure 4. Once you’ve chosen NAT, the available
interfaces are displayed, showing you the type of connection, the
IP addresses of each connection and the logical name of the interface.

When you
return to the Routing and Remote Access menu option, you can see the new
options related to routing to configure (Figure 5).

Figure 5. Once you’ve chosen your connection
and enabled the service, the Routing and Remote Access menu offers
you new routing options.

I’m interested
in the NAT component, so I’ve selected the Properties page of that in
the Routing and Remote Access administrative tool. This brings up the
general configuration options for NAT.

Setting up Shop
The
General tab lets you enable the logging of events and warnings. The Translation
tab allows you to set the length of time that dynamic mappings for TCP
and UDP packets will last. This is also where you can control access to
specific applications by reserving their port numbers. The Name Resolution
tab allows you to turn on the DNS proxy software. The Address Assignment
tab (Figure 6) is where you can enable the DHCP allocator and set the
internal private IP address of the NAT server itself. You can also exclude
any static addresses that you may have configured on the internal private
side of the network. At the main Routing and Remote Access administration
interface tool (Figure 7), you can manage each interface independently.
By right-clicking on Properties, I can now configure Cox Cable, which
is the public interface on this machine. This brings up Figure 8.

Figure 6. NAT’s Properties tabs lead to a variety
of options, including address assignment, which lets you enable the
DHCP allocator and set the internal private IP address of the NAT
server itself.

Figure 8. Via the Properties page, you can configure
the public interface on the machine and confirm your settings.

The General
tab displays that this, indeed, is the public interface and that header
translation is enabled. The Address Pool tab allows you to enter a range
of public addresses available for translation mappings. There’s also an
option to create any static mappings that you might want, as
shown in Figure 9.

Figure 9. You can create any static mappings
and reserve an IP address from the public address pool for a specific
computer on the private network.

The Port
tab is used when you have only one public address available, which, of
course, is the one bound to the public interface. Here you can create
any port mapping assignments that you want to make statically.

While the
basic setup of NAT is fairly straightforward, you need to have an understanding
of the applications you want available or to be able to reach through
NAT. The main piece of information you usually need to consider is the
port number, or numbers, that the applications use to identify themselves
in the TCP or UDP sessions. I’d recommend that you fully test your NAT
configuration with any applications you need in an isolated environment
before moving it into production.

That said,
I’d encourage you, particularly if you’re in a small organization, to
explore and take advantage of the possibilities and flexibility that NAT
can bring to your network. Also, keep in mind that in this scenario the
Win2K server was directly connected to the Internet sans security. So
be sure to keep yourself (and your network) protected. Enjoy!